The recent ransomware outbreak is a reminder to us all that we can never become complacent regarding data security. Protecting a network is a continuous task of evaluation, monitoring, and re-evaluation. This may seem a little scary, so here are some basic areas to focus on to help prevent and protect against most attacks.
The Gate Keepers
Protecting the perimeter of a network is the first line of defense. Unfortunately, most companies know the least about this area. It is critical to understand what traffic is allowed in and out of your network, and why. Yes, I also said what traffic is allowed out, but we’ll come back to that.
Inbound traffic, or ingress as we like to say, should be very restrictive. Each flow should have a specific purpose and be allowed only to a specific location. Think of it this way: if a stranger knocks on your front door and asks to use the bathroom, and you were in a really good mood, you might let him in, but only to the bathroom and nowhere else. You definitely wouldn’t want him snooping around your bedroom. Your network is the same way. You must know what doors (ports) are open and where traffic is allowed to go.
Now back to the outbound, or egress, traffic. Why is this important? When a virus or malware makes its way into a network, often its initial function is to make a call out to a malicious site. By controlling outbound traffic you can mitigate this type of risk. For example, outbound web traffic should pass through a proxy server, and mail traffic should pass through a spam filter.
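To make the ingress/egress point concrete, here is an added example (written for this post, not a vendor's firewall syntax): a small first-match policy evaluator. The networks and hosts are constructed sample values, not anything from the original: 10.0.0.0/24 is the workstation subnet, 10.0.1.10 is the web proxy on TCP 3128, 10.0.1.20 is the mail relay, and 10.0.2.5 is the only server reachable from outside. The restrictive policy lets workstations reach the internet only via the proxy; a second, permissive policy with an "allow any outbound" rule is included to show what the audit function flags.

```python
"""Added example: first-match firewall policy evaluator and egress audit.

Illustrative code for this post. All addresses, ports and hosts below are
constructed sample values (hypothetical network), not from a real site.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(s: str) -> ipaddress.IPv4Network:
    """Parse a host or CIDR string into a network object."""
    return ipaddress.ip_network(s, strict=False)


@dataclass(frozen=True)
class Rule:
    direction: str                 # "in" (ingress) or "out" (egress)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]            # None matches any destination port
    action: str                    # "allow" or "deny"


# Restrictive policy: ingress only to the public web server, egress only from
# the proxy and the mail relay, workstations may only talk to the proxy,
# and an explicit deny-all closes each direction.
POLICY: List[Rule] = [
    Rule("in",  ANY,               net("10.0.2.5"),  443,  "allow"),  # internet -> web server
    Rule("out", net("10.0.1.10"),  ANY,              443,  "allow"),  # proxy -> internet (https)
    Rule("out", net("10.0.1.10"),  ANY,              80,   "allow"),  # proxy -> internet (http)
    Rule("out", net("10.0.1.20"),  ANY,              25,   "allow"),  # mail relay -> internet
    Rule("out", net("10.0.0.0/24"), net("10.0.1.10"), 3128, "allow"),  # workstations -> proxy
    Rule("in",  ANY, ANY, None, "deny"),
    Rule("out", ANY, ANY, None, "deny"),
]

# Weak policy for comparison: an "allow anything outbound" rule placed first
# defeats the proxy requirement entirely.
PERMISSIVE_POLICY: List[Rule] = [Rule("out", ANY, ANY, None, "allow")] + POLICY


def evaluate(policy: List[Rule], direction: str, src: str, dst: str, port: int) -> str:
    """Return the action of the first rule matching the flow (first-match semantics)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if r.direction == direction and s in r.src and d in r.dst and r.port in (None, port):
            return r.action
    return "deny"  # implicit default deny when nothing matches


def overly_broad_rules(policy: List[Rule]) -> List[Rule]:
    """Flag allow rules with 'any' source and 'any' destination (no specific purpose or location)."""
    return [r for r in policy if r.action == "allow" and r.src == ANY and r.dst == ANY]


if __name__ == "__main__":
    flows = [
        ("in",  "203.0.113.7", "10.0.2.5",     443),   # visitor to web server
        ("in",  "203.0.113.7", "10.0.2.5",     22),    # visitor probing ssh
        ("out", "10.0.0.15",   "198.51.100.9", 443),   # workstation straight to internet
        ("out", "10.0.0.15",   "10.0.1.10",    3128),  # workstation to proxy
    ]
    for name, pol in (("restrictive", POLICY), ("permissive", PERMISSIVE_POLICY)):
        print(f"== {name} policy: {len(overly_broad_rules(pol))} overly broad allow rule(s)")
        for f in flows:
            print("  ", f, "->", evaluate(pol, *f))
```

The audit function is deliberately simple: a rule that allows any source to any destination has no "specific purpose" or "specific location", which is exactly what the post says every flow should have.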
Protect from Within
Be aware of how a user can bring files inside the network. Downloads, email attachments, links, and external storage devices such as USB flash drives are all potential risks. As an organization, it is important to understand these risks and implement restrictions to mitigate them.
Account management is a key component of network security. Know which accounts are privileged and limit the use of general admin accounts – no one should be using the ‘administrator’ account! Have an enforced policy regarding unique user IDs and password restrictions. Your users may not be happy about it, but they’ll get used to it.
Update and Patch
I know it’s a pain, but staying current on Windows Updates and anti-virus software is VERY important. Think about it: over 300,000 computers would not have been affected last week if only they had been current on their security updates. Consider using a patch management system to help. Most AV software packages come with some type of central management console at no additional charge. Windows Server Update Services (WSUS), which comes with the Windows Server operating system, can manage the deployment of Windows Updates to all your Windows-based clients, even if they’re not domain-joined computers.
Avoid unsupported operating systems. Once software reaches a certain age, the vendor no longer develops security updates or other patches that protect against vulnerabilities. This goes beyond virus protection. For example, Windows XP uses very weak cryptography to encrypt data, and many websites today block access from these machines because of their higher encryption requirements.
Don’t Stop Teaching
Educating your users is a never-ending task. They may get annoyed with it, but repeated reminders really do help. Beyond new-hire orientations and email announcements, be creative. The more enjoyable it is for your users, the better the chance they’ll remember. Lunch-n-Learns or breakout sessions during an “all employee” or department meeting are things to consider. It’s also a great way to build the relationship between IT and other departments.
Teach your users to Just Say “No” to:
- Email attachments that prompt to enable macros
- Email attachments or links that come from an unknown email address
- Emails that just don’t look right
When all else fails, make sure you can recover. The reality is that we all end up in a situation where we have to restore data. When it comes to recovery, you should know these two things:
1. Recovery Time Objective (RTO) – how long can a system or core application be down or off-line
2. Recovery Point Objective (RPO) – how much data can you afford to lose
Having a clear understanding of the RTO and RPO that your business can tolerate is the primary guide to your data protection strategy. Local backups are the basic first step. This should be a well-oiled machine with notifications of successes and failures. Offsite backups protect against isolated events like fire, theft, and corruption of local backups by malicious software. Physically rotating backup media offsite was the standard for a long time, but it is now being replaced with online cloud backup services. If RTO/RPO time frames are too tight to wait for system-wide restores from backup, consider a hot-site solution using replication for immediate failover.
Don’t wait for a crisis to test your ability to recover data. Perform periodic tests so that you’re 100% confident you can.
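The RTO/RPO definitions above, the "notifications of success and failures" for local backups, and the periodic restore tests can all be checked mechanically. The following is an added example written for this post (not a backup product's API): it takes a constructed backup job history, per-system RPO/RTO targets and the last measured restore-test duration, and reports which systems are outside their agreed tolerances. System names, timestamps and durations are all constructed sample data.

```python
"""Added example: checking backup history against RPO and RTO targets.

Illustrative code for this post. Systems, targets, job timestamps and
restore durations are constructed sample data, not from a real environment.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed "current time" at which the check runs.
NOW = datetime(2017, 5, 19, 8, 0)

# Tolerances the business agreed to for each system (constructed).
TARGETS: Dict[str, Dict[str, timedelta]] = {
    "file-server": {"rpo": timedelta(hours=24), "rto": timedelta(hours=8)},
    "erp-db":      {"rpo": timedelta(hours=1),  "rto": timedelta(hours=2)},
    "intranet":    {"rpo": timedelta(hours=24), "rto": timedelta(hours=48)},
}

# Backup job history as (system, finished_at, succeeded), oldest first (constructed).
JOBS: List[Tuple[str, datetime, bool]] = [
    ("file-server", datetime(2017, 5, 18, 22, 0), True),
    ("erp-db",      datetime(2017, 5, 19, 5, 0),  True),
    ("erp-db",      datetime(2017, 5, 19, 6, 0),  False),  # hourly job failed
    ("erp-db",      datetime(2017, 5, 19, 7, 0),  False),  # and failed again
    ("intranet",    datetime(2017, 5, 15, 22, 0), True),
]

# Measured duration of the most recent restore test, or None if never tested (constructed).
RESTORE_TESTS: Dict[str, Optional[timedelta]] = {
    "file-server": timedelta(hours=3),
    "erp-db":      timedelta(hours=5),
    "intranet":    None,
}


def assess(targets, jobs, restore_tests, now):
    """Return a per-system report of RPO exposure, RTO evidence and failure streaks."""
    report = {}
    for system, target in targets.items():
        history = [j for j in jobs if j[0] == system]
        successes = [j for j in history if j[2]]
        last_ok = successes[-1][1] if successes else None
        # Data at risk right now: everything changed since the last good backup.
        exposure = (now - last_ok) if last_ok else None
        # Consecutive failures since the last success (a failure alert that nobody acted on).
        streak = 0
        for _, _, ok in reversed(history):
            if ok:
                break
            streak += 1
        tested = restore_tests.get(system)
        report[system] = {
            "exposure": exposure,
            "rpo_ok": exposure is not None and exposure <= target["rpo"],
            # Without a restore test there is no evidence the RTO can be met.
            "rto_ok": tested is not None and tested <= target["rto"],
            "tested": tested is not None,
            "consecutive_failures": streak,
        }
    return report


def out_of_tolerance(report) -> List[str]:
    """Names of systems that miss either their RPO or their RTO."""
    return sorted(s for s, r in report.items() if not (r["rpo_ok"] and r["rto_ok"]))


if __name__ == "__main__":
    for system, r in assess(TARGETS, JOBS, RESTORE_TESTS, NOW).items():
        print(f"{system:12} exposure={r['exposure']} rpo_ok={r['rpo_ok']} "
              f"rto_ok={r['rto_ok']} tested={r['tested']} failures={r['consecutive_failures']}")
```

In the sample data the file server is fine, the ERP database misses both targets (its last good backup is three hours old against a one-hour RPO, and its last test restore took five hours against a two-hour RTO), and the intranet has never been test-restored, so its RTO is treated as unmet regardless of the target.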
Watch and Listen
Having a good monitoring and alert system is a great way to help you quickly isolate and stop malicious activity on your network. Adding a syslog server lets you store event notifications in a database, giving greater flexibility in alerting and reporting.
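Two of the post's points come together once logon events are being collected centrally: the account-management rule that nobody should be using the ‘administrator’ account, and the alerting that a syslog server makes possible. The following is an added example written for this post (not the output of any particular syslog product): it parses a handful of constructed logon lines in a simple, made-up forwarded-event format and raises an alert when the built-in administrator account logs on successfully, or when one source address produces five failed logons within sixty seconds. The log format, hostnames, users and addresses are all constructed; the thresholds are assumptions to tune for your own environment.

```python
"""Added example: alerting on logon events collected by a syslog server.

Illustrative code for this post. The line format below is a constructed,
simplified forwarded-event layout, not a real product's format, and every
host, user and address in SAMPLE_LOG is made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, FrozenSet, List, Optional, Tuple

# Constructed format: "<Mon dd HH:MM:SS> <host> logon: user=<u> result=<success|failure> src=<ip>"
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) logon: user=(\S+) result=(success|failure) src=(\S+)$"
)

SAMPLE_LOG = [
    "May 19 08:00:01 dc01 logon: user=jsmith result=success src=10.0.0.15",
    "May 19 08:00:05 dc01 logon: user=administrator result=success src=10.0.0.42",
    "May 19 08:01:00 fs01 logon: user=bob result=failure src=10.0.0.99",
    "May 19 08:01:10 fs01 logon: user=bob result=failure src=10.0.0.99",
    "May 19 08:01:20 fs01 logon: user=alice result=failure src=10.0.0.99",
    "May 19 08:01:30 fs01 logon: user=carol result=failure src=10.0.0.99",
    "May 19 08:01:40 fs01 logon: user=dave result=failure src=10.0.0.99",
    "May 19 08:05:00 fs01 logon: user=erin result=failure src=10.0.0.7",
    "this line is not a logon event and is skipped",
]


def parse(line: str, year: int = 2017) -> Optional[Dict[str, object]]:
    """Parse one line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the year is supplied by the caller (assumed 2017 here).
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group(2), "user": m.group(3), "result": m.group(4), "src": m.group(5)}


def detect(lines: List[str],
           burst_threshold: int = 5,
           window: timedelta = timedelta(seconds=60),
           privileged: FrozenSet[str] = frozenset({"administrator"})) -> List[Tuple]:
    """Return alerts for privileged-account logons and bursts of failed logons per source."""
    alerts: List[Tuple] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)   # failure timestamps per source
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        # Rule 1: the built-in administrator account should never be in day-to-day use.
        if ev["result"] == "success" and str(ev["user"]).lower() in privileged:
            alerts.append(("privileged-account-use", ev["src"], ev["user"]))
        # Rule 2: sliding window of failures from one source address.
        if ev["result"] == "failure":
            q = recent[str(ev["src"])]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= burst_threshold:
                alerts.append(("failed-logon-burst", ev["src"], len(q)))
                q.clear()  # one alert per burst, not one per additional failure
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data this raises exactly two alerts: the administrator logon from 10.0.0.42 and the five failures from 10.0.0.99 within forty seconds; the lone failure from 10.0.0.7 stays below the threshold and the malformed line is ignored.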